Dumb Apple Mistake Allowed Account Hijacks


Although Apple has spent a good deal of time and effort patching
security vulnerabilities over the last few weeks, its users keep
finding new ones. Apple has already closed its latest hole, but not
before the flaw collided with the rollout of a safeguard that could
have protected users from it.

The problem concerned Apple's iForgot service, which allows users
to reset forgotten passwords. The first step prompts only for the
Apple ID email address and a date of birth. Normally, Apple then
requires the answers to two security questions, which involve
personal details that are supposed to be hard to guess.

However, by stopping the page from loading midway through the
reset flow, an attacker could capture the URL for the next step. A
few small modifications to that URL were enough to bypass the
security questions altogether. From there, changing the user's
password and reading anything in the account, from payment details
to billing addresses, was easy. In other words, the server trusted
the step named in the URL instead of keeping its own record of
which checks the client had actually passed.
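To make the class of mistake concrete, here is an added example; it is not Apple's code and does not reproduce the real iForgot service. It shows a hypothetical multi-step reset flow in which the server trusts the `step` parameter in the URL, beside a hardened version that records progress server-side and makes each step verify the one before it. The account data, question names, URL path and parameter names are all constructed for illustration.

```python
import copy
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample account (hypothetical, not real data).
SAMPLE_ACCOUNTS = {
    "alice@example.com": {
        "dob": "1980-01-02",
        "answers": {"first pet": "rex", "birth city": "oslo"},
        "password": "old-password",
    }
}


def _match(expected, given):
    """Constant-time comparison for secret values such as answers."""
    return hmac.compare_digest(expected.encode(), given.encode())


class VulnerableReset:
    """Progress lives in the URL, so the client chooses the step."""

    def __init__(self, accounts):
        self.accounts = copy.deepcopy(accounts)
        self.tokens = {}  # token -> email

    def start(self, email, dob):
        acct = self.accounts.get(email)
        if acct is None or not _match(acct["dob"], dob):
            return None
        token = secrets.token_hex(8)
        self.tokens[token] = email
        # Next-step URL the browser is redirected to; a client that halts
        # the page load can copy and edit it.
        return "/iforgot?" + urlencode({"token": token, "step": "questions"})

    def handle(self, url, form):
        query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        email = self.tokens.get(query.get("token"))
        if email is None:
            return "invalid token"
        acct = self.accounts[email]
        if query.get("step") == "questions":
            if all(_match(a, form.get(q, "")) for q, a in acct["answers"].items()):
                return "/iforgot?" + urlencode({"token": query["token"], "step": "reset"})
            return "wrong answers"
        if query.get("step") == "reset":
            # BUG: nothing here proves the questions step was ever passed.
            acct["password"] = form["new_password"]
            return "password changed"
        return "unknown step"


class HardenedReset:
    """Progress is recorded server-side; each step checks the earlier ones."""

    def __init__(self, accounts):
        self.accounts = copy.deepcopy(accounts)
        self.sessions = {}  # token -> {"email", "dob_ok", "questions_ok"}

    def start(self, email, dob):
        acct = self.accounts.get(email)
        if acct is None or not _match(acct["dob"], dob):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = {"email": email, "dob_ok": True, "questions_ok": False}
        return token  # opaque handle only; no step name for the client to edit

    def answer_questions(self, token, form):
        s = self.sessions.get(token)
        if s is None or not s["dob_ok"]:
            return "not allowed"
        acct = self.accounts[s["email"]]
        if all(_match(a, form.get(q, "")) for q, a in acct["answers"].items()):
            s["questions_ok"] = True
            return "ok"
        return "wrong answers"

    def set_password(self, token, new_password):
        s = self.sessions.get(token)
        if s is None or not (s["dob_ok"] and s["questions_ok"]):
            return "not allowed"
        self.accounts[s["email"]]["password"] = new_password
        del self.sessions[token]  # single use
        return "password changed"


def attack_vulnerable(email, dob):
    """Skip the questions by editing the step name in the captured URL."""
    flow = VulnerableReset(SAMPLE_ACCOUNTS)
    url = flow.start(email, dob)
    if url is None:
        return "dob rejected", flow.accounts[email]["password"]
    forged = url.replace("step=questions", "step=reset")
    return flow.handle(forged, {"new_password": "attacker-chosen"}), flow.accounts[email]["password"]


def attack_hardened(email, dob):
    """Same attacker knowledge (email + DOB) against the fixed flow."""
    flow = HardenedReset(SAMPLE_ACCOUNTS)
    token = flow.start(email, dob)
    return flow.set_password(token, "attacker-chosen"), flow.accounts[email]["password"]


def legitimate_hardened(email, dob, answers, new_password):
    """The honest path through the hardened flow, for comparison."""
    flow = HardenedReset(SAMPLE_ACCOUNTS)
    token = flow.start(email, dob)
    if flow.answer_questions(token, answers) != "ok":
        return "wrong answers"
    return flow.set_password(token, new_password)
```

The fix is not the token or the constant-time compare; it is that `set_password` refuses unless the server's own record says the questions were answered, and the client never gets to name a step. Any reset flow whose later steps can be reached by a URL the client assembles has the same problem regardless of how strong the earlier checks are.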

An unauthorized password change is bad enough on its own, but an
attacker could then turn on Apple's two-step verification
(introduced only the week before) for the hijacked account,
effectively locking the legitimate owner out. Briefly, two-step
verification lets users require both a password and a separate
confirmation code each time they make a purchase in iTunes or the
App Store.

Apple's two-step verification also comes with a three-day waiting
period before it takes effect on an account. That proved
problematic here: users who signed up for the safeguard were still
protected only by the security questions, and therefore still
exposed to the iForgot bypass, for three days.

While iForgot went offline for a while as Apple fixed the problem,
it is now up and running again without the URL vulnerability. With
the initial missteps over, two-step verification should make
purchases more secure, but Apple's security track record has been
all over the map recently. Given the three-day delay, the time to
turn it on is before anything goes wrong, not after. As usual, the
best course of action is to secure your devices and accounts as
well as you can, and hope for the best.